Candidate: CVE-2017-2825
PublicDate: 2018-04-20 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2825
 http://www.talosintelligence.com/reports/TALOS-2017-0326%20/
 https://support.zabbix.com/browse/ZBX-12075
Description:
 In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and Server to trigger this vulnerability.
Ubuntu-Description:
 It was discovered that Zabbix incorrectly handled certain requests. A remote attacker could possibly use this issue to execute arbitrary code.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863584
Priority: high
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L [7.0 HIGH]

Patches_zabbix:
upstream_zabbix: released (1:3.0.7+dfsg-3)
precise/esm_zabbix: DNE
trusty_zabbix: ignored (out of standard support)
trusty/esm_zabbix: needed
vivid/stable-phone-overlay_zabbix: DNE
vivid/ubuntu-core_zabbix: DNE
xenial_zabbix: ignored (end of standard support, was needed)
yakkety_zabbix: ignored (reached end-of-life)
zesty_zabbix: ignored (reached end-of-life)
artful_zabbix: not-affected (1:3.0.7+dfsg-3)
bionic_zabbix: not-affected (1:3.0.7+dfsg-3)
cosmic_zabbix: not-affected (1:3.0.7+dfsg-3)
disco_zabbix: not-affected (1:3.0.7+dfsg-3)
eoan_zabbix: not-affected (1:3.0.7+dfsg-3)
focal_zabbix: not-affected (1:3.0.7+dfsg-3)
groovy_zabbix: not-affected (1:3.0.7+dfsg-3)
hirsute_zabbix: not-affected (1:3.0.7+dfsg-3)
impish_zabbix: not-affected (1:3.0.7+dfsg-3)
jammy_zabbix: not-affected (1:3.0.7+dfsg-3)
devel_zabbix: not-affected (1:3.0.7+dfsg-3)